CVE-2025-5443 is a medium-severity OS command injection vulnerability affecting multiple Linksys range extender models, including RE6500, RE6250, RE6300, RE6350, RE7000, and RE9000, across several firmware versions (1.0.013.001, 1.0.04.001, 1.0.04.002, 1.1.05.003, and 1.2.07.001). The vulnerability resides in the wirelessAdvancedHidden function of the /goform/wirelessAdvancedHidden endpoint. Specifically, the parameters ExtChSelector, 24GSelector, and 5GSelector can be manipulated to inject arbitrary OS commands. This flaw allows an unauthenticated remote attacker to execute system commands on the device without requiring user interaction or prior authentication. The vulnerability is remotely exploitable over the network, potentially enabling attackers to compromise the device's operating system, gain control over the device, and pivot into the internal network. Despite the critical nature of command injection vulnerabilities, this issue has been rated medium severity with a CVSS 4.0 score of 5.3, reflecting some mitigating factors such as limited scope or impact on confidentiality, integrity, and availability. The vendor has not responded to early disclosure attempts, and no patches or mitigations have been officially released. Public exploit code has been disclosed, increasing the risk of exploitation in the wild.

For European organizations, this vulnerability poses a significant risk to network security, especially for those relying on Linksys range extenders in their infrastructure. Successful exploitation could lead to full compromise of the affected devices, allowing attackers to intercept or manipulate network traffic, establish persistent footholds, or launch further attacks against internal systems. This is particularly concerning for enterprises, public institutions, and critical infrastructure operators using these devices to extend wireless coverage. The lack of vendor response and absence of patches exacerbate the threat, as organizations may be forced to rely on workarounds or device replacement. Additionally, the remote and unauthenticated nature of the exploit lowers the barrier for attackers, increasing the likelihood of targeted or opportunistic attacks. Confidentiality, integrity, and availability of network communications could be impacted, potentially leading to data breaches, service disruptions, or lateral movement within corporate networks.

Given the absence of official patches, European organizations should immediately identify and inventory all affected Linksys range extender models and firmware versions within their networks. As a temporary mitigation, affected devices should be isolated from critical network segments and the internet to reduce exposure. Disabling remote management interfaces and restricting access to the wirelessAdvancedHidden endpoint via firewall rules or network segmentation can help limit attack vectors. Network monitoring should be enhanced to detect unusual command execution patterns or traffic anomalies indicative of exploitation attempts. Organizations should consider replacing vulnerable devices with models from vendors providing timely security updates. Additionally, implementing strict network access controls and employing intrusion detection/prevention systems can help detect and block exploitation attempts. Regular firmware audits and proactive vulnerability management processes should be established to prevent similar risks in the future.